What is federated authentication?
Federated authentication enables users to sign onto Mediaocean applications using the email address and password they use for their own organization’s applications. Their organization’s authentication system validates and maintains the user credentials.
What is single sign-on?
SSO (single sign-on) enables a user to enter their sign-on credentials in one application and then access all of their SSO applications without needing to sign on again.
Is federated authentication the same as single sign-on?
This depends on how the federated authentication is configured, and so is under the client’s control.
An organization can configure their federated authentication so that a user only has to sign on to one application to get access to all their applications (SSO), or so that users have the same credentials in all their applications but still have to sign on to each application separately (non-SSO).
What are the benefits of using federated authentication?
For general users:
- They have fewer sign-on credentials to create, manage, and use.
- Buyer workflow (Prisma), Trading desk workflow (Radia), Estimates and costs (Aura): Mediaocean DS mainframe and MX agency users can switch between locations without having to sign out and sign on again.
For client administrators:
- They can control user access for authentication. User authorization is still controlled by the respective buy system, for example, Mediaocean DS or OX.
- Security is increased as user passwords aren’t shared with third party applications.
- Buyer workflow (Prisma), Trading desk workflow (Radia): Users access Mediaocean’s web applications over the internet with no need for a VPN, as access is under their control and the applications use HTTPS.
- Terminating a user’s credentials on their system also stops the user from accessing Mediaocean applications.
Which IDPs do we support?
All IDPs (identity providers) that support the SAML2 protocol are supported. For example:
- Microsoft’s Active Directory
- Azure AD
Are multiple IDPs supported for the same alpha, tenant, or owner organization?
Mediaocean applications don’t support multiple IDPs for users under one alpha, tenant, or owner organization.
Which tool does Mediaocean use to federate?
Mediaocean uses PingFederate to provide federated identity management.
Does this mean that Mediaocean web applications are available on the public internet?
Yes, depending on the way your IDP is configured, federated authentication enables users to access their Mediaocean web applications over the public internet without the need for VPN.
Which Mediaocean applications support federation?
All Mediaocean web applications support federated authentication, but desktop and mainframe applications aren’t supported.
Which sign-on page do they use?
The sign-on page, any password-related settings, and user account termination are controlled by the client organization.
What happens if the user tries to sign on from the current Mediaocean sign-on page?
If an organization is set up to be federated, users can’t sign on using the regular URL.
How do we support a user who can't sign on?
As the sign-on page is under the client organization’s control, any problems with signing on can only be resolved by their internal support team.
What if the user password has expired?
All password-related issues are dealt with by the client organization’s internal support team.
(For Mediaocean DS and OX agencies) How do we link the user to their mainframe PID or OX user name?
Buyer workflow (Prisma), Trading desk workflow (Radia), Estimates and costs (Aura): When the agency user signs on, they’re prompted to register the Mediaocean OX username or PID and the company ID(s) that they want to use. If a user has multiple PIDs or OX usernames, they can only select one to work with in the application at a time.
How does application security know what data access and application permissions apply for a user?
The user’s data authorization is still maintained by the respective Mediaocean application.
In some instances, this can be configured to enable, for example, Mediaocean DS users of Buyer workflow (Prisma) to switch between company IDs without having to sign out and back on again.
(For Mediaocean DS and OX agencies) When the mainframe/OX is down, can the user still use Mediaocean applications?
No, because the permissions and data access information are provided by the mainframe/OX.
Do we have any organizations using federated authentication?
Federated authentication is being used by multiple major holding company partners for:
- Buyer workflow (Prisma)
- Estimates and costs (Aura)
- Trading desk workflow (Radia)
- Seller workflow (Prisma for Sellers)
- Global plans (Lumina)
What is the process for my organization to test this feature?
Contact Customer Experience to request this. They will coordinate setting this up in a test environment for you to preview before it’s turned on in production for your organization.
How are the application URLs allocated?
The federated authentication setup needs to be implemented individually for each agency owner (alpha), advertiser, or seller organization. This includes a single, dedicated URL for accessing the required Mediaocean application.
Application URLs can’t be shared across implementations.